rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update with Miroslav patch to handle role attributes

Browse Source 
- Update Translations
- import sepolicy will only throw exception on missing policy iff selinux is enabled
This commit is contained in:
Dan Walsh 2013-01-09 08:37:32 -05:00
parent 6be5fbacb4
commit 422fcbbd1a
3 changed files with 1647 additions and 1418 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2928
policycoreutils-rhat.patch
View File

File diff suppressed because it is too large Load Diff

128
policycoreutils-sepolgen.patch
View File

@ -12,3 +12,131 @@ index 73c60f6..d636091 100644
boottime = time.strftime("%X", s) boottime = time.strftime("%X", s)
output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime], output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
stdout=subprocess.PIPE).communicate()[0] stdout=subprocess.PIPE).communicate()[0]
diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
index a4adbd8..6a3019c 100644
--- a/sepolgen/src/sepolgen/refparser.py
+++ b/sepolgen/src/sepolgen/refparser.py
@@ -91,8 +91,10 @@ tokens = (
'CLASS',
# types and attributes
'TYPEATTRIBUTE',
+ 'ROLEATTRIBUTE',
'TYPE',
'ATTRIBUTE',
+ 'ATTRIBUTE_ROLE',
'ALIAS',
'TYPEALIAS',
# conditional policy
@@ -153,8 +155,10 @@ reserved = {
'class' : 'CLASS',
# types and attributes
'typeattribute' : 'TYPEATTRIBUTE',
+ 'roleattribute' : 'ROLEATTRIBUTE',
'type' : 'TYPE',
'attribute' : 'ATTRIBUTE',
+ 'attribute_role' : 'ATTRIBUTE_ROLE',
'alias' : 'ALIAS',
'typealias' : 'TYPEALIAS',
# conditional policy
@@ -489,6 +493,7 @@ def p_policy_stmt(p):
| avrule_def
| typerule_def
| typeattribute_def
+ | roleattribute_def
| interface_call
| role_def
| role_allow
@@ -496,6 +501,7 @@ def p_policy_stmt(p):
| type_def
| typealias_def
| attribute_def
+ | attribute_role_def
| range_transition_def
| role_transition_def
| bool
@@ -542,6 +548,7 @@ def p_require(p):
'''require : TYPE comma_list SEMI
| ROLE comma_list SEMI
| ATTRIBUTE comma_list SEMI
+ | ATTRIBUTE_ROLE comma_list SEMI
| CLASS comma_list SEMI
| BOOL comma_list SEMI
'''
@@ -727,6 +734,11 @@ def p_attribute_def(p):
a = refpolicy.Attribute(p[2])
p[0] = a
+def p_attribute_role_def(p):
+ 'attribute_role_def : ATTRIBUTE_ROLE IDENTIFIER SEMI'
+ a = refpolicy.Attribute_Role(p[2])
+ p[0] = a
+
def p_typealias_def(p):
'typealias_def : TYPEALIAS IDENTIFIER ALIAS names SEMI'
t = refpolicy.TypeAlias()
@@ -819,6 +831,13 @@ def p_typeattribute_def(p):
t.attributes.update(p[3])
p[0] = t
+def p_roleattribute_def(p):
+ '''typeattribute_def : ROLEATTRIBUTE IDENTIFIER comma_list SEMI'''
+ t = refpolicy.RoleAttribute()
+ t.role = p[2]
+ t.roleattributes.update(p[3])
+ p[0] = t
+
def p_range_transition_def(p):
'''range_transition_def : RANGE_TRANSITION names names COLON names mls_range_def SEMI
| RANGE_TRANSITION names names names SEMI'''
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index 1399225..b07550a 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -117,6 +117,10 @@ class Node(PolicyBase):
"""Iterate over all of the TypeAttribute children of this Interface."""
return itertools.ifilter(lambda x: isinstance(x, TypeAttribute), walktree(self))
+ def roleattributes(self):
+ """Iterate over all of the RoleAttribute children of this Interface."""
+ return itertools.ifilter(lambda x: isinstance(x, RoleAttribute), walktree(self))
+
def requires(self):
return itertools.ifilter(lambda x: isinstance(x, Require), walktree(self))
@@ -356,6 +360,20 @@ class TypeAttribute(Leaf):
def to_string(self):
return "typeattribute %s %s;" % (self.type, self.attributes.to_comma_str())
+class RoleAttribute(Leaf):
+ """SElinux typeattribute statement.
+
+ This class represents a typeattribute statement.
+ """
+ def __init__(self, parent=None):
+ Leaf.__init__(self, parent)
+ self.role = ""
+ self.roleattributes = IdSet()
+
+ def to_string(self):
+ return "roleattribute %s %s;" % (self.role, self.roleattributes.to_comma_str())
+
+
class Role(Leaf):
def __init__(self, parent=None):
Leaf.__init__(self, parent)
@@ -400,6 +418,15 @@ class Attribute(Leaf):
def to_string(self):
return "attribute %s;" % self.name
+class Attribute_Role(Leaf):
+ def __init__(self, name="", parent=None):
+ Leaf.__init__(self, parent)
+ self.name = name
+
+ def to_string(self):
+ return "attribute_role %s;" % self.name
+
+
# Classes representing rules
class AVRule(Leaf):

7
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.1.13 Version: 2.1.13
Release: 52%{?dist} Release: 53%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -338,6 +338,11 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog %changelog
* Wed Jan 9 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-53
- Update with Miroslav patch to handle role attributes
- Update Translations
- import sepolicy will only throw exception on missing policy iff selinux is enabled
* Sat Jan 5 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-52 * Sat Jan 5 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-52
- Update to latest patches from eparis/Upstream - Update to latest patches from eparis/Upstream
- secon: add support for setrans color information in prompt output - secon: add support for setrans color information in prompt output